In a recent meeting with a customer group on security topics, one of the attendees asked everybody else whether they had implemented system-to-system encryption behind the firewalls in their internal landscape. Only one attendee said yes. And it applied only for one system deemed extremely critical. To my astonishment nobody considered this strange or negligent. … More Encryption of communication paths – it’s so easy but often not implemented
Authorization Management is one of the unsolved problems of IT security. The problem is not that there are no access management capabilities in regards to authorizations. On the contrary, there are too many. No unifying standard or tool has materialized which is due to the fact that technologies are different and thus the underlying authorization … More Authorization management unsolved – or the continuos role access management inflation
You have a system that has long been out of maintenance. Although you might have implemented up to latest available patch and everything’s running smoothly, there is no beating around the bush: Your system is insecure. The software vendors as well as security researchers will have found security vulnerabilities that are getting fixed in higher releases, … More Your system or application is definitely insecure, if…
When I studied at University one of my professors would always say, that we have to get a feel for trouble to succeed in life. (In German: “Sie müssen immer Störgefühle bekommen”.) Others would call it follow your intuition or get a hunch, but whatever you want to name it, one of the most prominent … More Social Engineering is alive and kicking
The European Court ruled recently that the “Safe Harbor” framework is null and void. The decision publicly nicknamed the “Facebook court decision” is not only bothering social communities but many multinational companies that use “Safe Harbor” to exchange or store private data from the EU in the US. What to do now? Many discussions are going on, … More The United States are not a „Safe Harbor“
We could start to vote for the security breach of the week. We would never be shy of nominees. What is worse however is that it does not make sense to vote on a corresponding security leak of the week. Recent analysis shows that it’s almost always failure to implement basic security settings. The hit … More Same old, same old
Every year they’ll chase a different pig through the village, as we say in German. This year in IT security it is cybersecurity. Especially the United States have funded research on this topic and created frameworks as if there is no tomorrow. There are conferences brimming with enticing titles like “Meet the rock stars of … More What is cybersecurity? – Or are you fully buzzword compliant yet?
I had lunch with a colleague lately who was wondering what happens with all the stolen information from data breaches, where we have seen quite a few lately. Latest breaches included personal information like credit card data, identity data, and fingerprints… A research article on DLP products published in the July/August 2015 IEEE Security and Privacy magazine arrives at … More What happens with all the stolen data?
When I studied Economics in the 90ies, Gary S Becker received the Nobel Price for his extension of the microeconomic analysis to include human behavior and social aspects including marriage, discrimination and for example having sex with your spouse. That raised a few eye-browse back then. Nowadays I am wondering when an economist will publish … More The economics of selling security vulnerabilities – or there is a market for everything
Security is such a vast topic and there is always a new attack on the horizon. I am interested to hear what other security experts read on a regular basis. In this blog I have put together which newsletters I try (:-)) to read on a daily basis. https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=PER338-EDC&searchResults=Y (the IEEE flagship magazine on privacy … More How do you stay up to snuff on security?